One of the threats in cyber security is the use of a distributed denial of service (DDoS) attack. In such an attack, a network device (commonly a server) is bombarded with IP packets in various forms (e.g., email, file transfers and ping/UDP/ICMP floods, and the like) from many sources, so that the network device (ND) is overloaded and rendered useless for normal operations. Typically, the participating sources are themselves victims because the offending instructions and codes were planted ahead of time via computer viruses to be activated simultaneously at some later date to overwhelm the ND. Traditional preventative methods, such as so-called “firewalls,” are not effective against such attacks because such methods may only be programmed against known threats and the filtering is not responsive when normally acceptable IP packets begin causing problems within the network.
Generally, networks attempt to detect the onslaught of a DDoS attack and identify the servers and sub-networks under attack. Because it is not known ahead of time which ND will be attacked, all traffic going to all NDs needs to be monitored, generally by devices known as network processors (NP). Consequently, the scalability of such a monitoring process is of paramount concern because of the potentially large number of hosts and sub-networks needed to be protected and the high volume of traffic that needs to be examined by network processors in real-time.
If a monitoring process attempted to monitor and catalog every detail of every IP packet, the monitoring system would quickly become overwhelmed. Thus, to effectively prevent DDoS attacks, NPs must operate using a minimum number of states or traffic statistics in order to keep storage and computational requirements within a practical range.
Furthermore, since the attacks may originate from multiple sources (i.e., distributed attacks), such distributed source attacks are difficult to identify because of an inability to aggregate, correlate, and consolidate possible incidents occurring at routers residing along a security perimeter. In other word, instead of a single NP detecting an attack, slow attrition of packets though multiple NPs to the victim (i.e., the aggregation of attacking packets from multiple sources) may cause victim to be overwhelmed. Such distributed attacks from multiple sources are difficult to defend against, since once an unrealized distributed attack has converged upon the victim, it is already too late. Unfortunately, there are presently no efficient techniques used to aggregate, correlate, and consolidate packet traffic through the NPs along a security perimeter to defend against such DDoS attacks generated by a distributed and/or slow attrition of packets though multiple NPs to the victim.
Accordingly, there is need for highly efficient methods, as well as apparatus for detecting, identifying, and preventing distributed DDoS attacks.